MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
PUBLISHED5.2CWE-674
MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement
Problem type
Affected products
MessagePack-CSharp
MessagePack-CSharp
>= 3.1.7, < 3.1.7 - AFFECTED
< 2.5.301 - AFFECTED
References
GitHub Security Advisories
GHSA-wfr3-xj75-pfwh
MessagePack-CSharp: DynamicUnionResolver-generated deserializers miss depth enforcement
https://github.com/advisories/GHSA-wfr3-xj75-pfwhSummary
Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths.
This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step.
Impact
Applications are affected when they deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes handled by DynamicUnionResolver.
An attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits can be bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable StackOverflowException.
This issue is narrower than the general TrySkip() recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. It remains independently fixable because the emitted IL should mirror the depth-step behavior used by source-generated union formatters and dynamic object formatters.
Affected components
- Package:
MessagePack - API:
DynamicUnionResolver.BuildDeserialize - Data types:
[Union]-decorated interface and abstract class hierarchies handled by the dynamic resolver - Finding ID:
MESSAGEPACKCSHARP-070
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should emit DepthStep and matching reader.Depth-- cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.
Workarounds
Patching is recommended.
Until a patched version is available, avoid deserializing untrusted payloads into dynamically resolved [Union] types. Prefer source-generated formatters that include depth checks, where applicable, and enforce outer message-size and schema constraints.
Resources
MESSAGEPACKCSHARP-070: dynamic union deserializer missing depth-step enforcement- CWE-674: Uncontrolled Recursion
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-48513Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-48513",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:12:43.104Z",
"dateReserved": "2026-05-21T16:18:10.618Z",
"datePublished": "2026-06-22T21:12:43.104Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:12:43.104Z"
},
"title": "MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement",
"descriptions": [
{
"lang": "en",
"value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7."
}
],
"affected": [
{
"vendor": "MessagePack-CSharp",
"product": "MessagePack-CSharp",
"versions": [
{
"version": ">= 3.1.7, < 3.1.7",
"status": "affected"
},
{
"version": "< 2.5.301",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-674: Uncontrolled Recursion",
"cweId": "CWE-674",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-wfr3-xj75-pfwh",
"name": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-wfr3-xj75-pfwh",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{}
]
}
}
}